NetFlow is a network protocol that collects information about your network’s IP traffic and monitors network traffic activity. In this blog, we are going to review a number of NetFlow tools. We have already posted a blog about NetFlow on this site, which we recommend you read before continuing with this post.
NetFlow is in its ninth version now, and Flexible NetFlow and IPFIX are available as extensions of it.
NetFlow gathers the data from IP traffic leaving the device, inspects every packet, and consolidates the packets into flows based on particular fields. Except for layer 3 protocol and router/switch interface, packets meeting all seven of the criteria above are grouped together. After their bytes and packets are tallied up, these compartmentalized flows are exported to a NetFlow collector. (Source: dnsstuff.com)
sFlow, short for “sampled flow”, is an industry standard for packet export at Layer 2 of the OSI model. The current version of sFlow is v5. In fact, sFlow is a packet-sampling technology, rather than a “flow-sampling” technology. An IP flow is defined as a series of IP packets moving from a source to a destination, through a particular port. While technologies like NetFlow and J-Flow sample a part of each IP flow, sFlow samples 1 in N of each packet passing through the interface, irrespective of the flow.
The difference between sFlow and NetFlow is that NetFlow uses templates, while sFlow is a NetFlow alternative using protocol extensions rather than templates. sFlow takes the bytes from these samplings, transforms them into sFlow datagrams, and sends them off to the sFlow collector.
There are four major differences between NetFlow and sFlow:
- sFlow is more scalable than NetFlow.
- sFlow doesn’t deal with the network devices.
- NetFlow interacts with IP only, but sFlow covers layers 2 through 7.
- With NetFlow, latency can be higher than with sFlow.
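To make the two mechanisms above concrete, here is an added example (written for this post, not code from any of the products reviewed) that runs the same constructed packet stream through a NetFlow-style flow aggregator and through an sFlow-style 1-in-N packet sampler. The flow key is the classic NetFlow v5 7-tuple (source/destination IP, source/destination port, layer 3 protocol, ToS byte, ingress interface); the stream is constructed inline and consists of a three-packet DNS lookup and a 1000-packet HTTPS transfer.

```python
"""Added example: NetFlow-style flow aggregation vs sFlow-style 1-in-N packet sampling.

The packet stream is constructed, not captured. The 7-tuple used as the flow key
is the classic NetFlow v5 key; everything else (names, counts) is this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int    # IP protocol number: 6 = TCP, 17 = UDP
    tos: int      # type-of-service byte
    in_if: int    # ingress interface index (SNMP ifIndex)
    length: int   # bytes on the wire


def flow_key(p: Packet) -> tuple:
    """The seven fields NetFlow v5 uses to decide that packets belong to one flow."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.tos, p.in_if)


def aggregate_flows(packets):
    """NetFlow style: every packet is inspected and tallied into its flow record."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        rec = flows[flow_key(p)]
        rec["packets"] += 1
        rec["bytes"] += p.length
    return dict(flows)


def estimate_from_samples(packets, n: int):
    """sFlow style: keep 1 in n packets regardless of flow, then scale counts by n.

    A deterministic 1-in-n pick is used here so the result is reproducible;
    real sFlow agents randomise the sampling interval around a mean of n.
    """
    est = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for i, p in enumerate(packets):
        if i % n:
            continue
        rec = est[flow_key(p)]
        rec["packets"] += n          # each sample stands for n packets
        rec["bytes"] += p.length * n
    return dict(est)


# Constructed stream: a small DNS lookup followed by a large HTTPS transfer.
DNS_KEY = ("10.0.0.10", "10.0.0.53", 40000, 53, 17, 0, 1)
HTTPS_KEY = ("10.0.0.10", "203.0.113.5", 50000, 443, 6, 0, 1)


def build_stream():
    dns = Packet(*DNS_KEY, length=80)
    https = Packet(*HTTPS_KEY, length=1400)
    return [dns] * 3 + [https] * 1000


if __name__ == "__main__":
    stream = build_stream()
    exact = aggregate_flows(stream)
    sampled = estimate_from_samples(stream, n=100)
    for key in (DNS_KEY, HTTPS_KEY):
        print(f"{key[1]}:{key[3]}  exact={exact[key]}  sampled(1:100)={sampled.get(key)}")
```

With a 1-in-100 rate the sampler reproduces the 1000-packet HTTPS transfer exactly (1,400,000 bytes) but turns the 240-byte DNS lookup into an estimated 8,000 bytes, because a single sample is scaled by 100. That is the practical trade-off behind the "sFlow is more scalable" point: sampling is cheap and accurate for heavy flows, while small or short-lived flows are either missed or grossly misestimated, which matters when flow data is used to spot low-volume activity.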
In this blog, we review eight popular tools in the field of NetFlow analysis. Before doing anything, let’s take a look at the members of this list:
- SolarWinds Real-Time NetFlow Analyzer
- Wireshark
- Paessler PRTG Network Monitor
- ManageEngine NetFlow Analyzer
- SolarWinds NetFlow Traffic Analyzer
- Colasoft Capsa Free
- SolarWinds Engineer’s Toolset
- Kentik Detect
SolarWinds Real-Time NetFlow Analyzer
This software can find and identify anything—applications, users, individual devices, IP addresses, etc.—eating up bandwidth. You can use this information to troubleshoot with amazing accuracy and eliminate network lag. This software is one of the more popular tools available to download free.
Installation is via a standard Windows setup wizard, and the NetFlow Configurator is included to assist in configuring the NetFlow collector and your devices that support various NetFlow variants.
The free version is focused on displaying the current and recent state of your bandwidth usage. It’s limited to one NetFlow interface and 60 minutes of data. Flow technologies supported include NetFlow, Juniper’s J-Flow, IPFIX, and Huawei’s NetStream. The network analyzer identifies which devices/IP addresses, apps, and users are consuming the most bandwidth. The user interface displays inbound and outbound traffic for the chosen NetFlow exporter; traffic can be sorted and displayed in various ways.
Wireshark
Wireshark is another free, open-source NetFlow reporting tool. It is cross-platform and can run on Linux, Windows, macOS, Solaris, and other platforms.
We have already published an article about Wireshark on this site.
Anyone who needs to monitor their network can benefit from Wireshark’s user-friendly interface, scalability, and versatility. Wireshark lets you view captured data via a GUI, or you can use the TTY-mode TShark utility. Its features include capture and analysis of VoIP traffic, live data from Ethernet, IEEE 802.11, Bluetooth, USB, and other media, output to XML, CSV, or plain text, decryption support, and more.
Wireshark pulls all kinds of traffic from the network and analyzes it by capturing and monitoring packets. Wireshark has capture and display filters to optimize NetFlow reporting. Capture filters enable you to block out certain traffic based on size alone, while display filters break down traffic data you’ve recorded in the past.
Paessler PRTG Network Monitor
PRTG is one of the most popular network monitoring tools, and we have already published a blog about it on this site that you should read.
The Freeware version gives you 30 days of unlimited sensors, then 100 sensors free after that.
PRTG Network Monitor has a sensor for NetFlow (NetFlow v9 sensor). This sensor can show the following traffic types in kbit per second:
- UDP and TCP
- Chat: IRC, AIM
- File Transfer: FTP, P2P
- Network services: DHCP, DNS, ICMP, and SNMP
- Mail: IMAP, POP3, and SMTP
- Remote control: RDP, SSH, Telnet, and VNC
- Web traffic: HTTP, HTTPS
- Total traffic
Installation is easy. There is a setup wizard. At installation, the core server’s local probe does auto-discovery to identify devices and set up sensors. Additional sensors (including NetFlow collectors) can be added manually.
PRTG uses SNMP, WMI, NetFlow, sFlow, jFlow, and Packet Sniffing to monitor Bandwidth, along with uptime/downtime monitoring and IPv6 support.
The core server is Windows only. Monitoring of a single site can be done via the web application, but the simultaneous view of multiple core servers requires using the enterprise app on Windows. A mobile app is also provided.
Paessler has also recently introduced a separate NetFlow product called NetFlow Tester; complete information about NetFlow Tester, and the download, are available from Paessler.
ManageEngine NetFlow Analyzer
This analyzer provides real-time visibility into network bandwidth and traffic patterns and, in addition to NetFlow, supports alternative technologies like IPFIX, NetStream, and J-Flow.
The ManageEngine NetFlow Analyzer provides a range of capabilities for managing complex networks making heavy use of NetFlow. They include real-time bandwidth monitoring and threshold alarms for set bandwidth usage, usage summaries, application and protocol monitoring, and much more. Alerts show up as pop-ups on the user interface. Multi-site traffic can be analyzed. Also, this product includes a smartphone app for mobile monitoring and alerting.
ManageEngine NetFlow Analyzer includes a feature to compare network performance reports, either for multiple devices or for individual ones, over time. So a network administrator can gain a broad overview of a quarter’s worth of traffic data, broken down to the minute. There are a variety of useful predefined reports, ranging from troubleshooting-oriented reports to capacity planning and billing.
Other key features:
- Monitoring network bandwidth and traffic patterns
- Tracking network anomalies
- Reporting on all major flow formats like NetFlow, sFlow, cflow, J-Flow, FNF, IPFIX, NetStream, AppFlow and so on
- Having capacity planning reports
- Identifying context-sensitive anomalies and zero-day intrusions
- Getting real-time insight into your network bandwidth and measuring bandwidth growth over a period time with long term reporting
- Detecting a broad spectrum of external and internal security threats
- Collecting and analyzing flows from major devices by Cisco, 3Com, Juniper, Foundry Networks, Hewlett-Packard, Extreme and other leading vendors
- Analyzing IP service levels for network-based applications and services using NetFlow Analyzer IP SLA monitor
ManageEngine NetFlow Analyzer comes in two versions:
The Essential version has fewer features, and its free version includes 30 days of unlimited monitoring, after which it allows monitoring of only two interfaces.
SolarWinds NetFlow Traffic Analyzer (NTA)
This software is stronger than the Real-Time NetFlow Analyzer. In fact, NTA is a module in the SolarWinds Network Performance Monitor (NPM). NTA and NPM are both available as 30-day fully functional trials.
NTA handles the original NetFlow protocol plus its variants and alternatives, including sFlow.
NTA breaks down traffic usage into useful categories like top 5 conversations, top 5 applications, and top 10 sources by utilization. Also, you can sort by ports, source, destination, and protocols, and view traffic patterns over minutes, days, or months.
The NetFlow Traffic Analyzer gathers flow data exported by the flow-enabled devices tracked by the SolarWinds network monitoring software. It works by combining flow data and Cisco Class-Based Quality of Service (CBQoS) data with the performance data gleaned from NPM.
Other key features:
- Network traffic analysis
- Bandwidth monitoring
- Application traffic alerting
- VMware vSphere distributed switch support
Colasoft Capsa Free
Capsa is a freeware network analyzer for Ethernet monitoring, troubleshooting and analysis. It supports over 300 network protocols and creates customizable reports.
Capsa comes in two versions, Enterprise (30-day trial) and Free. The versions differ in:
- Adapter monitors
- Manually saving files
- IP addresses monitored (unlimited in the Enterprise version, 10 addresses in the Free version)
- Session timeout length (unlimited in the Enterprise version, 4 hours in the Free version)
Exclusive features of the enterprise version are:
- Online Auto-update
- Suspicious Conversation View
- DoS Attacked View
- DoS Attacking View
- Run Multiple Projects
- Support Multiple Adapters
- Worm View
- ARP Attack View
- Support Network TAP
- Packet Auto-output Function
- Export Data
- Log Output Function
- Custom Reports
- Security Analysis Profile
- Fast Speed Packet Replay
- Process View
- Diagnosis Function
- VoIP View
- TCP Port Scan View
- Application view
SolarWinds Engineer’s Toolset (ETS)
This software includes the best tools available to meet all network needs, and helps users monitor and troubleshoot a network with over 60 tools for network management:
- NetFlow monitoring
- Network monitoring
- Auto discovery
- Configuration management
- Log management
- IP address monitoring
With ETS, users can deploy an array of network discovery tools alongside specialized tools such as Real-Time NetFlow Analyzer and Config Compare. The network discovery tools include:
- Port Scanner
- Switch Port Mapper
- Advanced Subnet Calculator
- Manage Cisco devices
Also, SolarWinds Orion integration is offered to make troubleshooting a network easier and faster.
Kentik Detect
Kentik Detect is a pure Software-as-a-Service (SaaS) system and, as such, offers the scalability of the cloud. In a SaaS system a third party hosts an enterprise’s applications and makes those applications and services available to users over the internet, so using a SaaS system is essentially using the cloud.
Kentik Detect is composed of a custom high-availability time-series datastore, the Kentik Data Engine, and a user interface, the Kentik Portal.
Kentik Detect delivers network traffic intelligence at unprecedented speed, efficiency, and scale.
With this tool, you can integrate the data into other systems. The web-based interface is customizable, and the Kentik team continually adds new dashboards.
Alerting to notify you of unusual conditions can be set up by creating policies that define when an alert will enter the alarm state.
The Kentik Portal includes a function called Data Explorer, which lets you explore your network by breaking traffic data down into tables and graphs.
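Both the ManageEngine "threshold alarms for set bandwidth usage" and the Kentik alert policies that "define when an alert will enter the alarm state" come down to the same mechanism: bucket flow records into time intervals, compute a rate, and move a policy through states when the rate stays above a threshold. The following is an added example of that mechanism, written for this post; the flow records are constructed, and the field names, the policy shape and the OK/PENDING/ALARM states are this example's own assumptions, not either product's schema.

```python
"""Added example: a threshold alert policy evaluated over flow records.

Flow records are constructed, not exported by any device or product. Field names,
the policy fields and the state names are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    start: int       # flow start, seconds since epoch
    end: int         # flow end, seconds since epoch
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes: int


@dataclass(frozen=True)
class AlertPolicy:
    name: str
    dst_port: int            # destination port stands in for "application" here
    threshold_kbps: float
    bucket_seconds: int = 60
    hold_buckets: int = 2    # consecutive breaching buckets before entering ALARM


def bucket_rates(records, dst_port, bucket_seconds):
    """Return {bucket_start: kbit/s} for flows to dst_port.

    A flow's bytes are spread evenly over the seconds it was active, so a flow
    spanning several buckets contributes to each of them in proportion.
    """
    bits = defaultdict(float)
    for r in records:
        if r.dst_port != dst_port:
            continue
        duration = max(r.end - r.start, 1)   # a zero-length flow counts as one second
        bps = r.bytes * 8 / duration
        t = r.start
        while t < r.start + duration:
            bucket = t - t % bucket_seconds
            seg_end = min(bucket + bucket_seconds, r.start + duration)
            bits[bucket] += bps * (seg_end - t)
            t = seg_end
    return {b: v / bucket_seconds / 1000 for b, v in bits.items()}


def evaluate_policy(records, policy):
    """Walk the buckets in order and return [(bucket_start, kbps, state), ...].

    The policy enters ALARM only after hold_buckets consecutive breaches, which
    keeps a single busy minute from paging anyone; one quiet bucket clears it.
    """
    rates = bucket_rates(records, policy.dst_port, policy.bucket_seconds)
    if not rates:
        return []
    timeline, breaches = [], 0
    for b in range(min(rates), max(rates) + policy.bucket_seconds, policy.bucket_seconds):
        kbps = rates.get(b, 0.0)            # buckets with no flows count as zero
        if kbps > policy.threshold_kbps:
            breaches += 1
            state = "ALARM" if breaches >= policy.hold_buckets else "PENDING"
        else:
            breaches, state = 0, "OK"
        timeline.append((b, round(kbps, 3), state))
    return timeline


# Constructed data: T0 is aligned to a 60-second boundary for readability.
T0 = 1_700_000_040
RECORDS = [
    FlowRecord(T0 + 5, T0 + 5, "10.0.0.10", "10.0.0.53", 53, 1_000),          # normal DNS
    FlowRecord(T0 + 10, T0 + 70, "10.0.0.10", "203.0.113.5", 443, 6_000_000), # HTTPS, ignored by the DNS policy
    FlowRecord(T0 + 65, T0 + 65, "10.0.0.10", "10.0.0.53", 53, 1_000),
    FlowRecord(T0 + 125, T0 + 125, "10.0.0.10", "10.0.0.53", 53, 1_000),
    FlowRecord(T0 + 180, T0 + 240, "10.0.0.77", "10.0.0.53", 53, 1_500_000),  # 200 kbit/s to DNS for a minute
    FlowRecord(T0 + 240, T0 + 300, "10.0.0.77", "10.0.0.53", 53, 1_500_000),  # and another minute
    FlowRecord(T0 + 305, T0 + 305, "10.0.0.10", "10.0.0.53", 53, 1_000),      # back to normal
]
POLICY = AlertPolicy(name="dns-bandwidth", dst_port=53, threshold_kbps=100.0)


if __name__ == "__main__":
    for bucket, kbps, state in evaluate_policy(RECORDS, POLICY):
        print(f"{bucket}  {kbps:>9.3f} kbit/s  {state}")
```

Run as written, the DNS policy stays OK for the first three minutes, goes PENDING in the fourth (200 kbit/s, one breach), enters ALARM in the fifth (second consecutive breach) and clears in the sixth. The `hold_buckets` setting is the knob that trades alert latency for noise: a value of 1 alarms on the first busy minute, a larger value suppresses short bursts but delays notification of a sustained change.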